Collision Attacks, Message Digests and a Possible solution

Posted by Dominar on Stack Overflow See other posts from Stack Overflow or by Dominar
Published on 2011-01-14T05:40:28Z Indexed on 2011/01/14 5:53 UTC
Read the original article Hit count: 538

I've been doing some preliminary research in the area of message digests. Specifically collision attacks of cryptographic hash functions such as MD5 and SHA-1, such as the Postscript example and X.509 certificate duplicate.

From what I can tell in the case of the postscript attack, specific data was generated and embedded within the header of the postscript (which is ignored during rendering) which brought about the internal state of the md5 to a state such that the modified wording of the document would lead to a final MD equivalent to the original. The X.509 took a similar approach where by data was injected within the comment/whitespace of the certificate.

Ok so here is my question, and I can't seem to find anyone asking this question:

  1. Why isn't the length of ONLY the data being consumed added as a final block to the MD calculation?

  2. In the case of X.509 - Why is the whitespace and comments being taken into account as part of the MD?

Wouldn't a simple processes such as one of the following be enough to resolve the proposed collision attacks:

  1. MD(M + |M|) = xyz
  2. MD(M + |M| + |M| * magicseed_0 +...+ |M| * magicseed_n) = xyz

where :

  1. M : is the message
  2. |M| : size of the message
  3. MD : is the message digest function (eg: md5, sha, whirlpool etc)
  4. xyz : is the acutal message digest value for the message M
  5. magicseed_{i}: Is a set random values generated with seed based on the internal-state prior to the size being added.

This technqiue should work, as to date all such collision attacks rely on adding more data to the original message.

In short, the level of difficulty involved in generating a collision message such that:

  1. It not only generates the same MD
  2. But is also comprehensible/parsible/compliant
  3. and is also the same size as the original message,

is immensely difficult if not near impossible. Has this approach ever been discussed? Any links to papers etc would be nice.

© Stack Overflow or respective owner

Related posts about cryptography

Related posts about mathematical